
June 4th, 2014 09:00

Authenticate NFS users from AD

Hi Guys,

Is there a way to set up Isilon to authenticate NFS users from AD? Is there anything that needs to be set up on the AD side?

I want to set up an Isilon for mixed mode, share a folder through NFS and SMB, but use AD as the authentication source for both.

Various papers cover only the usual LDAP for NFS, and AD for SMB users.

OneFS 7.1.0.2 plus patch-124564 (Patch for OneFS 7.1.0.0 - 7.1.0.2. This patch addresses multiple issues with the SMB and AIMA services.)

Regards, Krisztian

22 Posts

June 5th, 2014 21:00

The map-lookup-uid option on the NFS export can achieve what you are trying to do here.

What that does for the user coming in from an NFS client is look up his identity (UID, GID and supplemental groups) in AD instead of trusting what he provides directly over the wire.

Example:

Let's say a user BOB from Unix/Linux performs "ls -l" on /nfs1, which is an export (enabled with map-lookup-uid) mounted from OneFS; OneFS will not take BOB's UID and GID that he provides over the wire, but will instead look up BOB in AD and get his identity information if AD is configured. The assumption is that AD provides the UID and GID (either via SFU/RFC 2307 or some other mechanism).

1.2K Posts

June 4th, 2014 09:00

Any NFS server including Isilon simply trusts in the numerical user and group ids provided by a client machine.

So the first design question will target the client side: how are user/group credentials set up on your NFS clients? AD, or more likely, separate LDAP or NIS?

Then, ask or decide how well AD and LDAP or NIS will be kept in sync, in particular, will the AD maintain the UNIX groups information completely, partially, or not at all.

Thus finally you will need to see which user/group mappings will be left to be done on the Isilon side, ideally only few!

The Isilon white papers on multiprotocol access, AIMA and (pretty recent one) multiprotocol security really do come in handy; but how to set up the NFS clients is naturally a question outside of Isilon.

Feel free to post your considerations in greater detail.

122 Posts

June 4th, 2014 23:00

You need to contact Microsoft for the same.

Hope this will help (NFS Authentication).

Also you can refer to the points below:

Windows Server 2003 R2

When a UNIX user attempts to access a file shared by Server for NFS, Server for NFS uses either Active Directory Lookup or User Name Mapping to obtain the corresponding Windows user name of that UNIX user. When the Windows user name is obtained, Server for NFS then passes this information to either a domain controller or the security authority of the local server, depending on the type of account (domain or local):

  • If the Windows user name is a domain account, then the domain controller authenticates the user with Kerberos extensions called Services-For-User (S4U).

  • If the Windows user name is a local account, then the local security authority needs the assistance of Server for NFS Authentication. Without Server for NFS Authentication, the local security authority cannot authenticate the user and access will be denied.

To install Server for NFS Authentication

  1. In Control Panel, click Add or Remove Programs. Then click Add/Remove Windows Components.
  2. From the list of components, in the Windows Components Wizard dialog box, select Other Network File and Print Services, and click Details.
  3. From the list of subcomponents, select Microsoft Services for NFS, and click Details again.
  4. Select Server For NFS Authentication, and click OK.
  5. Click OK again and then Next, and after the configuration of the new component has completed, click Finish.

1.2K Posts

June 5th, 2014 23:00

> The option in the NFS Export map-lookup-uid can achieve what you are trying to do here.

That's an additional twist, mostly used with more than 16 supplementary groups per user, because NFS transmits only the first 16 groups.

You may still want to have the full information about groups right on the clients, visible to users/apps. So the clients should be connected to either AD (augmented for UNIX, details as posted by chughh) or LDAP or NIS.
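Two points in this thread are easy to see in code: an NFS server receiving AUTH_SYS credentials has nothing but the client's word for the UID/GID list, and that list is capped at 16 supplementary groups by the RPC credential format itself (RFC 5531, `gids<16>`). The following is an added example, not OneFS code and not posted by anyone in the thread. It encodes and parses an AUTH_SYS credential body with the standard library, and then contrasts "trust the wire" with a directory lookup keyed on the UID, the behaviour the map-lookup-uid option is described as giving. The `DIRECTORY` dictionary, the user `bob`, his UID/GID values and the 25-group membership are all constructed stand-ins for an AD with RFC 2307 attributes; the function names are assumptions of this example.

```python
import struct

# RFC 5531 section 9.2: authsys_parms carries at most 16 supplementary gids.
MAX_AUTHSYS_GIDS = 16


def xdr_string(s):
    """XDR variable-length string: 4-byte length, bytes, zero padding to a multiple of 4."""
    raw = s.encode()
    pad = (-len(raw)) % 4
    return struct.pack(">I", len(raw)) + raw + b"\x00" * pad


def encode_authsys(stamp, machinename, uid, gid, gids):
    """Build the AUTH_SYS credential body a client would put on the wire.

    Groups beyond the 16th are silently dropped, exactly as a real client must do.
    """
    wire_gids = list(gids)[:MAX_AUTHSYS_GIDS]
    body = struct.pack(">I", stamp) + xdr_string(machinename)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(wire_gids))
    body += b"".join(struct.pack(">I", g) for g in wire_gids)
    return body


def decode_authsys(body):
    """Parse an AUTH_SYS credential body; rejects malformed input instead of guessing."""
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off)
    off += 4
    (slen,) = struct.unpack_from(">I", body, off)
    off += 4
    if slen > 255:
        raise ValueError("machinename longer than 255 bytes")
    machinename = body[off:off + slen].decode()
    off += slen + ((-slen) % 4)
    uid, gid = struct.unpack_from(">II", body, off)
    off += 8
    (ngids,) = struct.unpack_from(">I", body, off)
    off += 4
    if ngids > MAX_AUTHSYS_GIDS:
        raise ValueError("more than %d gids in credential" % MAX_AUTHSYS_GIDS)
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    off += 4 * ngids
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


# Constructed stand-in for AD with RFC 2307 attributes (uidNumber, gidNumber)
# and the group memberships the directory knows about: 25 groups for bob.
DIRECTORY = {
    "bob": {"uidNumber": 10001, "gidNumber": 5000, "groups": list(range(5000, 5025))},
}


def resolve_identity(cred, map_lookup_uid, directory=DIRECTORY):
    """Server-side identity decision.

    map_lookup_uid=False: trust the UID/GID/gids the client sent (the NFS default).
    map_lookup_uid=True:  use only the UID as a key and take the full identity,
                          including every group, from the directory.
    """
    if not map_lookup_uid:
        return {"uid": cred["uid"], "gid": cred["gid"],
                "gids": cred["gids"], "source": "wire"}
    for name, entry in directory.items():
        if entry["uidNumber"] == cred["uid"]:
            return {"uid": entry["uidNumber"], "gid": entry["gidNumber"],
                    "gids": entry["groups"], "source": "directory:" + name}
    raise LookupError("uid %d not present in directory" % cred["uid"])


if __name__ == "__main__":
    wire = encode_authsys(1, "client1", 10001, 5000, range(5000, 5025))
    cred = decode_authsys(wire)
    print("groups on the wire:", len(cred["gids"]))
    print("trusted wire identity:", resolve_identity(cred, False))
    print("directory identity:   ", resolve_identity(cred, True))
```

The two printed identities differ only in the group list: the wire carries 16 of bob's 25 groups, while the directory lookup returns all 25. Note what the lookup does not do: it still takes the UID from the client, so it fixes the group truncation and the client-supplied group list, but the cluster is only as trustworthy as the clients' mapping of users to UIDs, which is why the thread keeps returning to how the clients themselves are joined to AD, LDAP or NIS.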
